Abstract

Symbolic executions of event-driven simulations tend to split into many cases. The substitution of non-selective trace for selective trace eliminates this case splitting for some elements. Case merging using conditional expressions is a more general technique for eliminating case splitting.

New criteria for the comparison of two programs apply to both deterministic and nondeterministic models, with and without don't-cares. They allow hierarchical verification and facilitate the verification of programs with loops. A modification of a top-down hierarchical design methodology allows partitioned verification even when the design introduces new timing details.

Key Words and Phrases: event-driven simulation with selective trace, non-selective trace, case analysis, case merging, graph models for behavior, hierarchical partitioned (piecewise) verification
Abstract


This thesis investigates two aspects of the functional verification problem in digital hardware design. First, it discusses the reduction of case splitting in the symbolic execution of event-driven simulations. Second, it defines criteria for consistency between two hardware descriptions.

Symbolic executions of event-driven simulations tend to split into many subcases due to the event detection mechanism. The substitution of non-selective trace for selective trace eliminates this case splitting for combinational elements. In general, an inductive assertion analysis or a symbolic execution test can determine whether the substitution is correct for a particular element. Case merging using conditional expressions is a more general technique for eliminating case splitting, but it tends to generate complex symbolic expressions. Case merging is most likely to be beneficial for functional verification when the simulation relation is sparse and the symbolic expression complexity grows slowly.
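The case splitting described above, as an added example that is not part of the thesis: a toy Python symbolic simulator for a single NOR-gate process (the gate, the input schedule a_t/b_t and the string-based symbolic values are my constructions) shows selective trace forking on every symbolic event test while non-selective trace keeps a single path, and runs the equality-rewriting check that justifies the substitution for a combinational element.

```python
import re

# Added example, not code from the thesis: a toy symbolic simulator for one
# NOR-gate process under selective and non-selective trace. Symbolic net
# values are strings ("a1"); a path is (conds, eqs, nets): conds is the path
# condition, eqs the input equalities that the path condition implies.

def nor(a, b):
    return f"not({a} or {b})"

def step_selective(paths, t):
    """Selective trace: the gate runs only if NetChanged[A] or NetChanged[B].
    With symbolic inputs that test is itself symbolic, so every path forks."""
    out = []
    for conds, eqs, nets in paths:
        new = dict(nets, A=f"a{t}", B=f"b{t}")  # constructed input schedule
        changed = f"({nets['A']} != {new['A']}) or ({nets['B']} != {new['B']})"
        # path (a): an input changed, the gate process recomputes OUT
        out.append((conds + [changed], eqs,
                    dict(new, OUT=nor(new["A"], new["B"]))))
        # path (b): nothing changed, the gate is skipped and OUT keeps its old
        # expression; the path condition now asserts old == new for A and B
        out.append((conds + [f"not({changed})"],
                    eqs + [(nets["A"], new["A"]), (nets["B"], new["B"])], new))
    return out

def step_nonselective(paths, t):
    """Non-selective trace: the gate is re-evaluated unconditionally."""
    return [(conds, eqs, dict(nets, A=f"a{t}", B=f"b{t}",
                              OUT=nor(f"a{t}", f"b{t}")))
            for conds, eqs, nets in paths]

def run(step, steps):
    paths = [([], [], {"A": "a0", "B": "b0", "OUT": nor("a0", "b0")})]
    for t in range(1, steps + 1):
        paths = step(paths, t)
    return paths

def path_count(step, steps):
    """Selective trace yields 2**steps paths, non-selective trace yields 1."""
    return len(run(step, steps))

def rewrite(expr, eqs):
    """Apply the equalities old == new in order, oldest first."""
    for old, new in eqs:
        expr = re.sub(rf"\b{old}\b", new, expr)
    return expr

def substitution_is_safe(steps):
    """Symbolic-execution test for a combinational element: on every selective
    path the (possibly stale) OUT, rewritten under that path's equalities,
    equals the non-selective result, so the substitution loses nothing."""
    target = run(step_nonselective, steps)[0][2]["OUT"]
    return all(rewrite(nets["OUT"], eqs) == target
               for _, eqs, nets in run(step_selective, steps))
```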

Milner and Brand defined criteria for the comparison of two programs to establish their consistency. This thesis extends their work by defining a criterion that applies to both deterministic and nondeterministic models, with and without don't-cares. Hierarchical verification is demonstrated for the new criterion. This criterion is also modified to facilitate the verification of programs with loops. The modified criterion is shown to retain intuitive notions of correctness captured by the first criterion.


Finally, a modification of the hierarchical design methodology allows the application of Brand's theorem for partitioned verification even when the design introduces new timing details. The introduction of new timing details is performed separately from the introduction of new structural detail.
This thesis investigates two aspects of the verification problem. First, it considers methods for reducing case splitting in the symbolic execution of event-


Symbolic execution is a modification of conventional simulation that tests the description ideally for all possible input values simultaneously. Such an
may split into many separate cases ("case splitting").

Alternatively, the input for functional verification may be a single hardware description annotated with assertions, where the assertions alone constitute a


necessary for a design to be correct. A design can be correct (consistent with the original specification) without being equivalent to the original specification, due to


cases in symbolic executions can be reduced by substituting non-selective trace for selective trace. Chapter 5 describes case merging, a more general technique for reducing the number of cases. Case merging tends to generate complex symbolic expressions, increasing the cost of the analysis. Chapter 6 presents two examples


unknown value. Operators will take symbolic operands and return symbolic results. The advantage of symbolic execution is that it tests the program for all possible
typical approach is to completely separate the two descriptions. W.C. Carter et


technology-dependent, requiring a separate compiler for each target technology. The manual design contains many implementation details. In the translation of this design, these details are removed, leaving only a description of the desired

Furthermore, the approach still requires the comparison of two different descriptions. Roth and Kawato handled this problem by requiring that the manual


mechanism, substituting non-selective trace for selective trace (Chapter 4). In other cases, Cheatham's approach may be useful.


Milner's result concerning the transitivity of program consistency assumes partitions on the vertex (data) space and restrictions on the simulation relation, assumptions reasonable for the terminating programs with which Milner was


program for many different values of the program inputs; ideally for all possible


After the first execution of process 1, the simulation has been split into M paths. For each of the M paths, the subsequent execution of process 2 will split the
Note that even the references to WasUpdated in the repeat condition are unnecessary. A weaker test is adequate. All that is required of the substitute condition Cond is
would be correct to replace the repeat statement by

4.2.1. Generalized Process of Interest

process of interest. Assume that at some point in


completely eliminated simply by replacing selective trace by non-selective trace, with no other changes. This section characterizes some processes for which this is

equivalent, then we can substitute version (b) for version (a). This eliminates splitting in this process, since ... and S never introduce case splits.


4.2.2. Program State

• P_i(s) is the state obtained from s by action of process i in one cobegin


Returning to Figure 4-2, the actions of the two processes are clearly identical if


In conclusion, given a code segment of the form shown in Figure 4-4a satisfying the properties given in Section 4.2.3, we can replace it by the code in Figure 4-4b if Eq. (4.7) is satisfied:

(NetChanged[A] or NetChanged[B])

We wish to replace this by C_non

(WasUpdated[A] or WasUpdated[B])


Figure 4-5: Modified NOR-gate process


that can be replaced by C_non has become a conventional software verification problem; that is, the proof of the verification conditions implied by the assertions.

4.2.6. Another Generalized Process

In this application, assertions may tend to be cumbersome and redundant.


No further analysis of path (c) is required; the definition of Cond guarantees


Then path (c) is always correct, while the correctness of path (a) implies the

This substitution is also possible in the following more complex process code,


Section 5.1 shows case merging for a couple of examples. Section 5.2 describes


Note that in a symbolic simulation, LPc may have symbolic (not constant) values. This implies that in a case merging symbolic simulation, we cannot uniquely

an equivalent process of a form similar to that in Figure 5-6. This resulting process can be executed symbolically without case splitting.


termination of the loop. Line 10 in Figure 5-10 makes the necessary check. For conventional execution, UseLPc is always TRUE or FALSE, so the following test


change. Similarly, the conditional adjustment to Vars[b] and LPc[b] in


The guiding principle for the removal of edges is as follows: In the topological sort all vertices (basic blocks) in the body of the loop should precede vertices for code following the loop. This ensures that when the process is in a loop, it will completely exit the loop before proceeding from the loop. The choice of edges

The following algorithm describes the assignment of vertex (block) priorities in graphs containing loops. It selectively removes edges until the graph is loop free, at which point a topological sort gives the vertex priorities. This algorithm exploits the fact that Tarjan's algorithm to find strongly connected components [AH74] directly yields a topological sort when applied to a loop-free graph.

Delete all self-loops <v, v> in the flow graph for the process. Call the

5. Choose a vertex s in component I such that there exists an edge <s, t> with COMP(t) = w. Remove from the graph all edges <s, w> for which COMP(w) = I.

Repeat steps 2 through 5 until step 2 finds no strongly connected components. An example can be constructed in which 000 passes are actually


simulation would aim to reduce the complexity of symbolic expressions, since the comparison of symbolic Boolean expressions is NP-hard, for example.


5.6. Symbolic Execution Summary
also attempt simplification to make the strings less complex.

string, an O(1) pointer comparison.
the initial value assignments l and r for each path guarantee that we have the value assignments l and r represented by this symbolic execution; l R r

Therefore, we need not prove Eq. (6.1):

the initialization of some pertinent variables and the symbolic results for variable ... (Appendix C; the program counter of ... is represented in a distributed fashion by array LPc.) We assume that the initial value assignments satisfy R_0.


The comparison of these descriptions by symbolic execution is similar to that


var M: array [0..3] of Integer;
Data: Integer;

[Figure residue: trace columns Pc, Found, Addr, P1, P2, A1, A2, Found, Addr]


simulations for the two descriptions.


1. characteristics of the program model (Section 7.5), and
2. intuitive understanding of correctness (Sections 7.6 - 7.8)

A single, simple criterion can be found which is appropriate for a variety of program

definition. The results for hierarchical, partitioned verification with the simple criterion may also hold for the extended criterion, according to


Section 7.10 shows a correspondence between the two definitions but only for

optimizations performed.

counter. Relation F ⊆ D × D (an edge set) specifies how the program maps any

1. Since don't-cares are allowed in the specification, we should not require that every action of the implementation be explicitly given in the specification. Eq. (7.7) makes this requirement, but Eq. (7.8) does not. The following example illustrates this point.

The first two considerations motivate a preference for Eq. (7.8). The third


Relation R

Figure 7-4: Example - Implementation program


deterministic programs with don't-cares.


1. When don't-cares were allowed, we did not require every edge in F_I to be explicitly mirrored in F_S. However, when don't-cares are not allowed, this

not (∃s ∈ D_I) ... = D_I(s)   (7.13)

Note that this condition applies before the addition of don't-care edges. Under this




Lemma 7.17 covers the case where u and v are in different equivalence classes,


PROOF: Make the following observations.


establish the result. Figure 7-20b shows an example that satisfies all the conditions except Eq. (7.34), but that fails to satisfy Eq. (7.35). In particular, vertex u does not satisfy Eq. (7.34), and <s, t> is in the LHS but not the RHS of Eq. (7.35).

Lemma 7.19:


such that v F* z along a path containing no vertices in D except v. Since ... ⊆ ... (Eq. (7.33)), we now have u F* z along a path containing no vertices in D except u. Therefore u ∈ D'. This contradicts the supposition and proves the


problems remain to be solved to achieve a unified, useful theory


VERIFICATION OF HARDWARE DESIGN CORRECTNESS: SYMBOLIC EXECUTION TECHNIQUE.. (U) STANFORD UNIV CA COMPUTER SYSTEMS LAB, W E CORY, JUN 83, TR-83-241, DAAG29-80-K-0046

F/G 9/2


It is likely that any theory allowing partitioned verification will include these lemmas in some form. The requirement that every path from a stopping point reaches a stopping point ensures that ... adequately represents the behavior of P_a.

of the memory being written. The Address and Data lines are controlled by the
Write, Clr, Strobe, and Ack are parts of the Function lines in the two descriptions. Note the labeling of states by numbers in part (a) and letters in part


Figure 8-2. The state labels are taken from Figure 8-2. It is desirable to verify Figure 8-4a against Figure 8-3a and Figure 8-4b against Figure 8-3b, and so verify


• the next refinement, then he must first alter the specification by the addition of

may be taken from Figure 8-6. For example, the circuit inside the dotted box is a


translators into P, yielding description Q in which components communicate with each other using the new timing. Verify Q against P.

The new design methodology does require some extra work on the part of the designer; namely, the specification of translators which define the refinements in


with each other properly.


Chapter 4 suggests the substitution of non-selective trace for selective trace to

The presence of distinct, independent components aggravates this problem. If each of the components always splits the simulation into N cases in every time step, then after j time steps, the total number of cases will be N^j.

Previous work ... symbolic execution to event-driven simulation. In particular, it did not investigate substitution of non-selective trace for selective trace to reduce case splitting.


representing hardware descriptions (or programs in Milner's case) by graph models [Mi71, Br78]. This thesis extends their work.

works for components in which every loop is broken by a


This unifies the theory for nondeterministic models, with conditions that determine whether Brand's test is appropriate.

the proof,


B.2.5. Strengthening the Weak Links


{<x, z> ∈ W × Z | (∃y ∈ Y)((x S y) ∧ (y T z))}


Figure B-1: First counterexample to Lemma 2


Figure B-2: Second counterexample to Lemma 2

Figure B-3 shows the several possible types of state transition sequences


Thus, by requirement 1, every path C_i* from <a1, b0, d2> reaches a stopping point. Let z be the first stopping point on one such path. This path <a2, b0, d2> C_i* z does not refer to A; otherwise two successive references to A by C_i would not be separated by a stopping point, a violation of the condition assumed in the lemma. Therefore, ... Since z is a stopping point, we have d2 ∈ I.